From a trickle to a flood – Dealing with Australia's new notifiable data breach scheme

28 March 2018

In recent years it has been hard to escape the rising number of high-profile data breach incidents, where the private information of individual customers or clients is stolen, leaked or merely lost by companies and government entities who have been entrusted with that information.

In Australia, Parliament recently concluded that the public’s expectations about what should occur in the event of a serious data breach are not being met, and to that end, the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Amendment Act) was enacted, to introduce an obligation to notify individuals whose personal information is involved in a data breach that is likely to result in serious harm, by way of a compulsory ‘Notifiable Data Breach Scheme’ (Scheme).

The Scheme, which came into effect on 22 February 2018, represents an important change from the existing voluntary notification scheme, and has the potential to have a significant impact on agencies and organisations with existing personal information security obligations under the Privacy Act 1988 (Privacy Act).

This article will provide an overview of the new Scheme, including the reason for the recent changes, before considering some of the potential implications, and concluding with some practical tips to help lawyers and their clients assess whether they are dealing with a notifiable data breach, and understand what to do if that is the case.

Current position

Prior to the Scheme, Australia had a voluntary notification scheme, where the Office of the Australian Information Commissioner (OAIC) recommended notification as best practice for entities subject to personal information security obligations under the Privacy Act. The previous scheme involved a ‘real risk of serious harm’ test,1 and was criticised for its perceived deficiencies, including findings that serious data breaches were being underreported, making it hard to gain a clear and true understanding of the extent of the problem.2

There were also inconsistencies in how entities chose to participate in the voluntary scheme (leading to notification practices that do not reflect community expectations), as well as significant delays in making notifications3 that increased the potential cost and impact of the data breach on the individual, for example, by increasing the risk of identity theft.4

In addition, the lack of mandatory requirements for an entity to notify individuals of data breaches involving their personal information did not align with community expectations that an organisation should inform them if their personal information is lost.5

Why the change?

Studies and anecdotal evidence suggest that breaches of data security are increasing in frequency and scope,6 and there are numerous reports providing details of the magnitude and costs of data breaches and the linked issue of identity crime.7

In this respect, it must be acknowledged that the types of personal information used to commit identity crime are increasingly being collected and stored in databases held by a variety of government agencies and private sector organisations, and the aggregation of this information, particularly in electronic forms that are accessible online, has also increased the risk that information may be acquired through data breaches, either accidentally or through deliberate attempts to steal personal information.8

The Scheme has accordingly been introduced in light of significant increases in data breaches in recent years – in terms of not only size, but also number and significance9 – and a recognition that in those circumstances the current voluntary notification scheme does not meet community expectations.

The Scheme

When does the Scheme commence?

The Scheme commenced on 22 February 2018 and applies to eligible data breaches that occur on or after that date.10 A data breach discovered before 22 February 2018 is not subject to the Scheme. Similarly, if the breach is discovered after 22 February 2018, but the breach occurred prior to that date, the breach is not an eligible data breach for the purposes of the Scheme.

However, certain data breaches may occur over a period rather than at a discrete point in time. For example, a system may be compromised by an attacker before 22 February 2018, with data subsequently stolen both before and after 22 February 2018. In a situation like this, entities have been advised to assume that the breach is subject to the Scheme, and to act accordingly.11

What information is covered?

Information generally covered by the Privacy Act will be caught by the Scheme – this includes personal information (i.e. information about an individual who is identified or reasonably identifiable), credit reporting and credit eligibility information and tax file number information.

Who has to notify?

The Scheme applies to entities that are currently obliged under Australian Privacy Principle (APP) 11 of the Privacy Act to protect the personal information they hold.12 Collectively known as ‘APP entities’, these include most Australian Government agencies, some private sector and not-for-profit organisations, credit reporting bodies, credit providers, tax file number (TFN) recipients, and all private health service providers.

An APP entity can be an agency or an organisation, which means it can be a body corporate, a partnership, any other unincorporated association or a trust. The main threshold requirement is an annual turnover of $3 million in the previous financial year, although one can still be an APP entity without meeting that threshold if one provides certain nominated services – for example, health service providers and entities that hold health information other than in an employee record will be APP entities for the purposes of the Scheme, as will entities that disclose personal information about another individual for a benefit, service or advantage, or provide a benefit, service or advantage to collect personal information about another individual from anyone else (unless they do so with consent, or are required or authorised by or under legislation to do so).

The definition of APP entity generally does not include small business operators, registered political parties, state or territory authorities, or a prescribed instrumentality of a state.13 A small business operator (SBO) is defined as an individual (including a sole trader), body corporate, partnership, unincorporated association, or trust that has not had an annual turnover of more than $3 million in any financial year since 2001.14

Generally, SBOs do not have obligations under the APPs unless an exception applies.15 However, if a SBO falls into one of the following categories, they are not exempt and must comply with the APPs, and therefore with the Scheme, in relation to all of their activities:

  1. Entities that provide health services;
  2. Entities related to an APP entity;
  3. Entities that trade in personal information;
  4. Credit reporting bodies;
  5. Employee associations registered under the Fair Work (Registered Organisations) Act 2009; and
  6. Entities that ‘opt-in’ to APP coverage under s 6EA of the Privacy Act.

Similarly, if a SBO which is not otherwise exempt carries on any of the following activities, it must comply with the APPs (and with the Scheme), but only in relation to personal information held by the entity for the purpose of, or in connection with, those activities:

  1. Providing services to the Commonwealth under a contract;
  2. Operating a residential tenancy data base;
  3. Reporting under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006;
  4. Conducting a protected action ballot; and
  5. Information retained under the mandatory data retention scheme, as per Part 5-1A of the Telecommunications (Interception and Access) Act 1979.

Which breaches are notifiable?

A data breach could range from a sophisticated hack into an organisation’s computer systems to grab highly confidential and sensitive information, right through to a low-level employee who leaves his or her iPhone (with email access) in a bar.

An eligible data breach for the purposes of the Scheme takes place where:16

  1. There is unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity; and
  2. The access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates; and
  3. The entity has not been able to prevent the likely risk of serious harm with remedial action.

Thus, not all unauthorised access to personal information will constitute an “eligible data breach”; there is a seriousness threshold in terms of the likely harm to any of the affected individuals, and consideration must also be given to the ability of the entity to mitigate that harm.

This structure reflects the fact that it is not intended that every data breach be subject to a notification requirement – for example, it would be inappropriate for minor breaches to be notified because of the administrative burden that may place on entities, the risk of ‘notification fatigue’, and the lack of utility where notification does not facilitate harm mitigation.17

Assessing eligible data breaches

The first step in deciding whether an eligible data breach has occurred involves considering whether there has been a data breach; that is, has there been unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information?18

Somewhat unhelpfully, the Privacy Act does not define these terms, but the OAIC has provided guidance as to their likely interpretation, as follows:

  1. Unauthorised access of personal information occurs when personal information that an entity holds is accessed by someone who is not permitted to have access. This includes unauthorised access by an employee of the entity, or an independent contractor, as well as unauthorised access by an external third party (such as by hacking).
  2. Unauthorised disclosure occurs when an entity makes personal information accessible or visible to others outside the entity, and releases that information from its effective control in a way that is not permitted by the Privacy Act. This includes an unauthorised disclosure by an employee of the entity.
  3. Loss refers to the accidental or inadvertent loss of personal information held by an entity, in circumstances where it is likely to result in unauthorised access or disclosure. For example, this might be where an employee of an entity leaves personal information (hard copy documents, unsecured computer equipment, or portable storage devices containing personal information) on public transport or in a café.

However, it is important to note that if personal information is lost in circumstances where subsequent unauthorised access to or disclosure of the information is unlikely (for example, because the information is remotely deleted before an unauthorised person could access the information), there will be no eligible data breach.19

The second step involves deciding whether, from the perspective of a reasonable person, the data breach would be likely to result in serious harm to an individual whose personal information was compromised in the data breach.

For the purposes of the Scheme, a ‘reasonable person’ means a person in the entity’s position (rather than the position of an individual whose personal information was part of the data breach or any other person), who is properly informed, based on information immediately available or following reasonable inquiries or an assessment of the data breach. What is reasonable can be influenced by relevant standards and practices, and the phrase ‘likely to occur’ means the risk of serious harm to an individual is more probable than not (rather than possible).

Therefore, to give rise to an eligible data breach, a reasonable person would need to be satisfied that the risk of serious harm occurring is more probable than not.

Although ‘serious harm’ is not defined in the Privacy Act, it is expected that in the context of a data breach, serious harm to an individual could include serious physical, psychological, emotional, economic and financial harm, as well as serious harm to reputation and other forms of serious harm that a reasonable person in the entity’s position would identify as a possible outcome of the data breach.

However, it is worth noting that whilst individuals may be distressed or otherwise upset at an unauthorised access to or unauthorised disclosure or loss of their personal information, this alone would not itself be sufficient to require notification, unless a reasonable person in the entity’s position would consider that the likely consequences for those individuals would constitute a form of serious harm.20

The chance that a relevant individual will experience serious harm increases as the number of people whose personal information was part of the data breach increases. It would therefore be prudent for an entity to assume that a data breach that involves the loss of personal information of a very large number of individuals is likely to result in serious harm to at least one of them, unless the context or circumstances would clearly support this not being the case.

When determining whether or not access or disclosure would be likely to result in serious harm, entities should have regard to the following non-exhaustive list of factors (which are set out in s 26WG of the Privacy Act):

  1. The kind of information in question;
  2. The sensitivity of the information;
  3. Whether the information is protected by one or more security measures (and the likelihood that any of those security measures could be overcome);
  4. The persons or kind of persons who have obtained or who could obtain the information;
  5. Whether a security measure was used to make the information unintelligible or meaningless to those who are not authorised to obtain the information (and whether that technology can be circumvented);
  6. The nature of the harm; and
  7. Any other relevant matters.

It would also be a good idea to consider the likelihood of a particular harm occurring, as well as the anticipated consequences for individuals whose personal information is involved in the data breach if that harm materialises, as there are a broad range of potential harms or circumstances that could follow a data breach, including:

  1. Identity theft;
  2. Significant financial loss by the individual;
  3. Threats to an individual’s physical safety;
  4. Loss of business or employment opportunities;
  5. Humiliation, damage to reputation or relationships; and/or
  6. Workplace or social bullying or marginalisation.

Given that some of the matters referred to above involve overlapping considerations, the OAIC recommends that when deciding whether or not there’s a likelihood of serious harm, an entity should focus on three primary matters:

  1. The type or types of personal information involved in the data breach. Some kinds of personal information are more likely to cause an individual serious harm if compromised, whereas fairly innocuous information, such as someone’s name alone or an email address out of context, may involve less risk. Examples of the kinds of information that may increase the risk of serious harm if there is a data breach include:
       1. ‘sensitive information’, such as information about an individual’s health;
       2. documents commonly used for identity fraud (including Medicare card, driver’s licence, and passport details);
       3. financial information; and
       4. a combination of personal information (rather than a single piece of personal information).21
  2. The circumstances of the data breach. Assessment in this respect may include asking queries such as:
       1. Whose personal information was involved in the breach? Certain categories of people (for example young persons and vulnerable individuals) may be at a greater risk of serious harm. Conversely, a data breach involving the names and addresses of individuals might not, in various circumstances, be likely to result in serious harm to an individual, particularly if that information is already publicly available. However, if the entity knows that the information involved primarily relates to a vulnerable segment of the community, this may increase the risk of serious harm.
       2. How many individuals were involved? If the breach involves the personal information of a large number of individuals, the scale of the breach may affect an entity’s assessment of likely risks. Even if an entity considers that each individual will only have a small chance of suffering serious harm, if the personal information of enough people is involved in the breach, it becomes more likely that some of those individuals will experience serious harm.
       3. Do the circumstances of the data breach affect the sensitivity of the personal information? A breach that may publicly associate an individual’s personal information with a sensitive product or service they have used could increase the likelihood of serious harm. For example, a data breach involving an individual’s name may involve a risk of serious harm if the entity’s name links the individual with a particular physical or mental health service. Another example is the Ashley Madison data breach of July 2015, which involved the personal details of 37 million users being compromised and threatened with release – the risk of harm here was amplified because of the nature of the business that was hacked.
       4. Is the personal information adequately encrypted, anonymised, or otherwise not easily accessible? A relevant consideration is whether the information is rendered unreadable through the use of security measures to protect the stored information, or if it is stored in such a way that, even if a breach occurs, it cannot be used. In considering whether the security measures (such as encryption) that have been applied are adequate, the entity should consider whether the method is an industry-recognised secure standard at the time the entity is making the assessment, and have regard to whether the unauthorised recipients of the personal information would have the capability to circumvent these safeguards. For example, an entity should not assume data is secure simply because it is encrypted, if in fact the attacker holds both the data and the key needed to decrypt that data.
       5. What parties have gained or may gain unauthorised access to the personal information? For example, the unauthorised disclosure of an individual’s criminal record to someone who knows that individual personally may significantly increase the risk of serious reputational harm for that individual. Similarly, where a third party appears to target personal information of a particular individual or group of individuals, this may increase the risk of serious harm if it makes it more likely that the personal information will be used for malicious purposes.
  3. The nature of the harm. In assessing the risk of serious harm, entities should consider the broad range of potential kinds of harms that may follow a data breach. It may be helpful for entities assessing the likelihood of harm to consider a number of scenarios that would result in serious harm and the likelihood of each.

In summary, the test is whether a reasonable person would conclude that there is a likely risk of serious harm to any of the affected individuals as a result of the unauthorised access or disclosure.

If a reasonable person would not conclude that there is a likely risk of serious harm, then notification would not be required in the first place, as it is not an eligible data breach.

However, if a reasonable person would conclude that the data breach might cause serious harm, an entity still needs to notify, even if it is not aware of any actual or particular harm i.e. a failure to notify can occur without serious harm in fact taking place – if there is a likely risk of serious harm to the affected individuals, entities may be penalised merely for the failure to notify, even without actual harm transpiring.

It is also important to note that it is not just an entity’s own breaches which might give rise to liability – for the purposes of the eligible data breach definitions, if an APP entity has disclosed information to an overseas recipient who holds the personal information, and the APP entity is responsible for the recipient’s compliance with the APPs under the Privacy Act, then the APP entity is deemed to be holding that information, and will be deemed responsible for any breaches in relation to that information (i.e., you may be responsible for breaches by other parties in your supply chain).

Contractual and operational protections should be implemented to manage the notification process – this is discussed in further detail below.

How and when must notification be provided?

In the event of a data breach, an entity’s first step should be to contain the breach where possible and, if possible, take remedial action. It should at the same time commence the assessment process outlined above to determine whether the data breach is likely to be an ‘eligible’ breach for the purposes of the Scheme.

The Scheme is designed so that only serious (‘eligible’) data breaches are notified. Where the breach is ‘eligible’ and serious harm cannot be mitigated through remedial action, the entity must provide a statement to the Commissioner as soon as practicable, and also notify individuals about the data breach as soon as practicable after the statement has been prepared.

You must notify when:

  • You have reasonable grounds to believe that an eligible data breach has happened; or
  • You are directed to do so by OAIC.

If an entity is required to notify, it must prepare a statement about the breach, and give a copy to the OAIC as soon as practicable after becoming aware of the breach. The statement must:

  • Set out the entity’s identity and contact details;
  • Include a description of the eligible data breach;
  • Detail the kind/s of information concerned; and
  • Set out recommendations about the steps that individuals should take in response to the eligible data breach.

If the breach may have also affected other entities, the statement should also identify those entities and provide contact details for them.

Then, if doing so is practicable, reasonable steps must be taken to provide that statement to each of the individuals to whom the relevant information relates. Alternatively, if it is practicable to do so, the entity should provide the statement to each of the individuals who is at risk as a result of the eligible data breach. If neither of those alternatives is practicable, the entity must publish a copy of the statement on its website and take reasonable steps to publicise that.

However, in some circumstances, notification will not be required straight away – if there are reasonable grounds to suspect (but insufficient grounds to form a belief) that there may have been an eligible data breach, but an entity is not certain, then it must carry out a reasonable and expeditious assessment of whether there are reasonable grounds to believe that the relevant circumstances amount to an eligible data breach, and take all reasonable steps to ensure that the assessment is completed within 30 days after it becomes aware.

Assessment – suspicion of eligible breach

If an entity only has reason to suspect that there may have been a serious breach, it needs to move quickly to resolve that suspicion by assessing whether an eligible data breach has occurred.22 If, during the course of an assessment, it becomes clear that there has been an eligible breach, then the entity needs to promptly comply with the notification requirements (unless it is able to sufficiently remedy the breach – see further below).

Whether an entity is ‘aware’ of a suspected breach is a factual matter in each case, having regard to how a reasonable person who is properly informed would be expected to act in the circumstances.

The OAIC expects entities to have reasonable and appropriate practices, procedures, and systems in place to comply with their information security obligations under APP 11, so as to enable suspected breaches to be promptly identified, reported to relevant personnel, and assessed if and as necessary. For instance, if a person responsible for an entity’s compliance, or someone with appropriate seniority, becomes aware of information that suggests a suspected breach may have occurred, an assessment should then commence straight away – an entity should not unreasonably delay commencing an assessment of a suspected eligible breach, for instance by waiting until its CEO or Board is aware of information that would otherwise trigger reasonable suspicion of a breach within the entity.

If a data breach affects one or more other entities, and one entity has assessed the suspected breach, the other entities are not required to also assess the breach.23

However, if no assessment is conducted, then, depending on the circumstances, each entity that holds the information may be found to be in breach of the assessment requirements. As noted above, the Scheme does not prescribe which entity should conduct the assessment in these circumstances. It is reiterated that entities should establish clear arrangements where information is held jointly, so that they can be sure that assessments will be carried out quickly and effectively.

The assessment must be ‘reasonable and expeditious’.24 The OAIC has indicated that it expects that wherever possible entities will treat 30 calendar days (from the day the entity became aware of the grounds or information that caused it to suspect an eligible data breach)25 as a maximum time limit for completing an assessment, and endeavour to complete the assessment in a much shorter timeframe, as the risk of serious harm to individuals often increases with time.

Where an entity cannot reasonably complete an assessment within 30 days, OAIC recommends that it should document why, so that it is able to demonstrate that all reasonable steps have been taken to complete the assessment within 30 days, the reasons for the delay, and that the assessment was reasonable and expeditious in all the circumstances.

The Privacy Act does not set out how entities should assess a data breach, and organisations may develop their own procedures for assessing a suspected breach. In this respect, the OAIC suggests that an assessment could involve a three-stage process:

  1. Initiate: Firstly, upon suspicion of an eligible data breach, an entity needs to initiate an assessment. What that will mean in practice is identifying which person or group will do the assessment and what will be involved;
  2. Investigate: Quickly gather relevant information about the suspected breach, including, for example, what personal information is affected, who may have had access to the information and the likely impacts. At this stage, it’s about gathering as much information as possible to try to determine whether or not there’s been an eligible breach; and
  3. Evaluate: Whoever is doing the assessment needs to look at that information and make a decision based on the evidence about whether there’s an eligible data breach.

The OAIC has said that it expects that an entity’s “business as usual” approach to data breach management, including its data breach response plan, will be reviewed and updated to incorporate the requirements of the Scheme for assessing suspected eligible data breaches.

Exceptions to notification obligations

The most universally applicable exception to the Scheme’s requirement to notify is where effective remedial action (positive steps to address a data breach in a timely manner) is taken such that the risk of serious harm is eliminated.

If the remedial action prevents the likelihood of serious harm occurring for any individuals whose personal information is involved in the data breach, then the breach will not be an eligible data breach for that entity, or for any other entity.26

Similarly, if the remedial action prevents the likelihood of serious harm to some individuals within a larger group of individuals whose information was compromised in a data breach, notification to those individuals for whom harm has been prevented is not required (although the other individuals for whom harm is not prevented will still need to be notified).

For breaches where information is lost, the remedial action is adequate if it prevents the unauthorised access or disclosure of personal information.27

At any time, including during an assessment, an entity can, and should, take steps to reduce any potential harm to individuals caused by a suspected or eligible data breach. If remedial action is successful in preventing serious harm to affected individuals, notification will not be required.

Beyond remediation, there are some other exceptions to the notification requirements set out in s 26WP of the Amendment Act, which relate to:

  1. Eligible data breaches of other entities;
  2. Enforcement related activities;
  3. Inconsistency with secrecy provisions or other legislative requirements; and
  4. Declarations by the Commissioner.

Other entities

If more than one entity jointly and simultaneously holds the same record of personal information, an eligible data breach of one entity may also be an eligible data breach of each of the other entities.

This situation could potentially arise in cases involving outsourcing, joint ventures or shared services arrangements. For example, if one entity stores personal information in an online platform provided by another entity, and both entities ‘hold’ the information (as per the existing definition in subsection 6(1) of the Privacy Act), an eligible data breach involving that information could be an eligible data breach of both entities for the purposes of the Scheme.

If an eligible data breach involves personal information held by more than one entity, only one of the entities needs to notify the Commissioner and individuals.28 The Amendment Act does not specify which entity must notify, in order to ensure the Scheme allows entities flexibility in making arrangements appropriate for their business and their customers.

The OAIC suggests that generally the entity with the most direct relationship with the individuals at risk of serious harm should notify, as such an approach will be more likely to allow individuals to better understand the notification, and how the eligible data breach might affect them.

Notwithstanding that only one entity is obliged to actually undertake the notification, it is still the responsibility of each entity involved in an eligible data breach to be sure that the requirements of the Scheme are being met.

If none of the entities involved in a supply chain takes responsibility for conducting the assessment (and if so required, providing the necessary notification), then all of the entities involved may be found to have breached the notification requirements of the Scheme.29 Entities should therefore make arrangements in advance of any potential breach about compliance with Scheme requirements with any other entities in their supply chains, including deciding who will be responsible for notification to individuals at risk of serious harm, and how that process should occur. Such arrangements should also detail the obligations on each party to notify the other parties in the chain of a breach or suspected breach.

This is likely to require a review of an entity’s current arrangements, and should also be considered in service agreements or other relevant contractual arrangements when entering into new agreements after the commencement of the Scheme.

Enforcement activities

An enforcement body30 does not need to notify individuals about an eligible data breach if its chief executive officer believes on reasonable grounds that notifying individuals would be likely to prejudice an enforcement related activity31 conducted by, or on behalf of, the enforcement body.32

Inconsistency with other legislative provisions

Section 26WP of the Amendment Act contains exceptions which are intended to preserve the operation of specific secrecy provisions in other legislation, a common purpose of which is to prohibit the unauthorised disclosure of client information.

Most secrecy provisions allow the disclosure of information in certain circumstances, such as with an individual’s consent where the information relates to them, or where the disclosure of information relates to an officer’s duties, or the exercise of their powers or functions. If an eligible data breach occurs, agencies should apply the exceptions under s 26WP only to the extent necessary to avoid inconsistency with a secrecy provision.

Where an entity is already required to notify under the My Health Records Act 2012, then there is no obligation to notify under the Privacy Act.

Where so directed

In some circumstances, the OAIC may declare by written notice that an entity does not need to comply with the Scheme notification requirements (s 26WQ). The purpose of the declaration by the Commissioner is to provide an exception where compliance with the Scheme requirements would otherwise conflict with the public interest. An entity will therefore not be obliged to notify individuals about an eligible data breach if it is directed by the OAIC not to do so.

Likely impact
What happens where there is a failure to notify?

The OAIC has a number of roles under the Scheme. These include receiving and assessing notifications of eligible data breaches, offering advice and guidance to regulated organisations, and providing information to the community about the operation of the Scheme.

The OAIC is also responsible for encouraging compliance with the scheme, including by handling complaints, conducting investigations, and taking other regulatory action in response to instances of non-compliance.

Failure to comply with a data breach notification obligation is deemed to be an interference with the privacy of an individual for the purposes of the Privacy Act 1988 (Cth).

This will engage the OAIC’s existing powers to investigate, make determinations and provide remedies in relation to noncompliance with the Privacy Act. This includes the capacity to undertake Commissioner-initiated investigations, make determinations, seek enforceable undertakings, and pursue civil penalties for serious or repeated interferences with privacy.33

This approach allows for the use of less severe sanctions – such as public or personal apologies, compensation payments or enforceable undertakings – before elevating to a civil penalty, which would only be applicable where there has been a serious or repeated noncompliance with mandatory notification requirements.

Civil penalties (of up to $360,000 for individuals and $1.8m for corporations) can be imposed by the Federal Court or Federal Circuit Court following a successful application by the OAIC.34

At this stage, the potential flow-on impact of a finding that an entity has, by virtue of a failure to comply with the Scheme’s notification requirements, interfered with the privacy of an individual is unknown, but it does not seem outside the realms of possibility that such a finding could lead to increased risks of claims in negligence, claims for breaches of directors’ duties, or claims for breaches of contracts (in particular where there is potential for joint liability amongst several entities in a supply chain, and where arrangements about those obligations have been agreed but not complied with).

What next?

The scheme commenced on 22 February 2018. Entities to whom the scheme applies should by now have prepared, or be preparing, data breach response plans, and be ready to act quickly in the event of an eligible breach.

Where to go for more information?

More information and other resources can be found at the OAIC’s Notifiable Data Breaches Scheme website.

The OAIC has been actively promoting the change, and preparing guidance for businesses to assist with complying with the scheme. Given the OAIC will receive notifications of eligible data breaches and handle complaints, conduct investigations and take other regulatory action in instances of noncompliance, its guidance is of enormous value. In particular the OAIC has published a comprehensive guide to securing personal information, and guides to handling personal information security breaches and to developing data breach response plans.

However, given what is at stake and the urgency with which a business should respond in the event of an eligible data breach, most entities (and in particular those for whom the impact of a failure to notify would be significant) should look at preparing a bespoke data breach response plan. Entities should also undertake regular reviews and audits of their prevention plans and personal information security practices.


As the volume and type of personal information collected by entities has increased in recent years, so has the incidence of significant data breaches moved from a trickle to a flood. With that movement comes increased risk of serious harm – in the form of identity theft, financial loss, threats to safety and damage to reputation or relationships.

Recent amendments to the Privacy Act, to introduce a mandatory notification scheme for data breaches that are likely to cause serious harm to the individuals whose personal information has been compromised, are intended to provide increased accountability for the entities holding personal information, and a measure of comfort for individuals that, in the event of a breach involving their personal information, they will be notified and able to take appropriate steps to reduce the risk of harm that may arise as a result.

Entities subject to the Scheme should be mindful of their obligations, the relevant time frames, and the consequences for non-compliance. Prudence and best practice would suggest that now is a good time to review personal security practices, including arrangements where personal information is held by more than one entity in a supply chain, and to ensure that a suitable data breach response plan is put into place before the unfortunate, but increasingly likely, event of a data breach.

This article was written by Peter Campbell, Partner and Rebecca Sandford, Senior Associate.



2 Explanatory Memorandum (EM), [69].
3 EM, [70].
4 EM, [80].
5 EM, [68]; Community Attitudes to Privacy survey Research Report 2013, Office of the Australian Information Commissioner, 2013 (Community Attitudes Report), page 5. One important and consistently reported figure from that report is that 94% of people said that they should be told if their information is lost by a business.
6 EM, [89] and see list of examples at EM, [90].
7 EM, [91].
8 EM, [75].
10 Section 6 of the Amendment Act provides that the scheme applies to incidents where personal information is subject to unauthorised access or disclosure, or is lost, following the scheme’s commencement.
12 Amendment Act, s 26WE(1)(a).
13 Privacy Act, s 6C.
14 Ibid, s 6D.
15 Ibid, s 6D(4).
16 Amendment Act, s 26WA.
17 See also EM, [11].
18 Ibid, s 26WE(2).
19 Ibid, s 26WE(2)(b)(ii).
20 See also EM, [9].
21 For more detail see
22 Amendment Act, s 26WH(1).
23 Ibid, s 26WJ.
24 s 26WH(2)(a).
25 Ibid, s 26WH(2).
26 Amendment Act, s 26WF(1), s 26WF(2), s 26WF(3).
27 Ibid, s 26WF(3).
28 Amendment Act, s 26WM; see also EM, page 4 [12].
29 Amendment Act, s 26WL.
30 For definition of “enforcement body”, see APP Guidelines B.70 – includes, inter alia, entities such as the Australian Federal Police, Customs, the Immigration Department, ASIC, state police forces and ICAC bodies.
31 For definition of “enforcement related activity”, see APP Guidelines B.71.
32 Amendment Act, s 26WN.
33 Explanatory Memorandum, Privacy Amendment (Notifiable Data Breaches) Bill 2016 (Cth) at [28].
34 Explanatory Memorandum, Privacy Amendment (Notifiable Data Breaches) Bill 2016 (Cth) at [29]; EM, [10]; Privacy Act, s 13G – Serious or repeated interferences with the privacy of an individual attract a maximum penalty of 2,000 penalty units for individuals and 10,000 penalty units for bodies corporate.
